Example 1 with SecurityExpressionHandler

Use of org.springframework.security.access.expression.SecurityExpressionHandler in project spring-security by spring-projects.

Class WebExpressionVoterTests, method grantsAccessIfExpressionIsTrueDeniesIfFalse.

@Test
public void grantsAccessIfExpressionIsTrueDeniesIfFalse() {
    WebExpressionVoter voter = new WebExpressionVoter();
    Expression ex = mock(Expression.class);
    // Post-processor stub that hands back the evaluation context it was given, unchanged.
    EvaluationContextPostProcessor postProcessor = mock(EvaluationContextPostProcessor.class);
    when(postProcessor.postProcess(any(EvaluationContext.class), any(FilterInvocation.class))).thenAnswer(new Answer<EvaluationContext>() {

        public EvaluationContext answer(InvocationOnMock invocation) throws Throwable {
            return invocation.getArgumentAt(0, EvaluationContext.class);
        }
    });
    WebExpressionConfigAttribute weca = new WebExpressionConfigAttribute(ex, postProcessor);
    EvaluationContext ctx = mock(EvaluationContext.class);
    SecurityExpressionHandler eh = mock(SecurityExpressionHandler.class);
    FilterInvocation fi = new FilterInvocation("/path", "GET");
    voter.setExpressionHandler(eh);
    when(eh.createEvaluationContext(user, fi)).thenReturn(ctx);
    // The expression evaluates to true on the first call and false on the second.
    when(ex.getValue(ctx, Boolean.class)).thenReturn(Boolean.TRUE).thenReturn(Boolean.FALSE);
    // Mix plain config attributes with the web expression attribute the voter acts on.
    ArrayList<ConfigAttribute> attributes = new ArrayList<ConfigAttribute>();
    attributes.addAll(SecurityConfig.createList("A", "B", "C"));
    attributes.add(weca);
    assertThat(voter.vote(user, fi, attributes)).isEqualTo(AccessDecisionVoter.ACCESS_GRANTED);
    // Second time false
    assertThat(voter.vote(user, fi, attributes)).isEqualTo(AccessDecisionVoter.ACCESS_DENIED);
}
Also used: SecurityExpressionHandler (org.springframework.security.access.expression.SecurityExpressionHandler), Expression (org.springframework.expression.Expression), InvocationOnMock (org.mockito.invocation.InvocationOnMock), ArrayList (java.util.ArrayList), EvaluationContext (org.springframework.expression.EvaluationContext), FilterInvocation (org.springframework.security.web.FilterInvocation), Test (org.junit.Test)

Example 2 with SecurityExpressionHandler

Use of org.springframework.security.access.expression.SecurityExpressionHandler in project spring-security by spring-projects.

Class AbstractAuthorizeTag, method getExpressionHandler.

/*------------- Private helper methods  -----------------*/
@SuppressWarnings({ "unchecked", "rawtypes" })
private SecurityExpressionHandler<FilterInvocation> getExpressionHandler() throws IOException {
    ApplicationContext appContext = SecurityWebApplicationContextUtils.findRequiredWebApplicationContext(getServletContext());
    Map<String, SecurityExpressionHandler> handlers = appContext.getBeansOfType(SecurityExpressionHandler.class);
    // Return the first handler whose generic type argument is FilterInvocation, i.e. a web expression handler.
    for (SecurityExpressionHandler h : handlers.values()) {
        if (FilterInvocation.class.equals(GenericTypeResolver.resolveTypeArgument(h.getClass(), SecurityExpressionHandler.class))) {
            return h;
        }
    }
    // No web expression handler is registered, so the tag cannot evaluate expressions.
    throw new IOException("No visible WebSecurityExpressionHandler instance could be found in the application context. There must be at least one in order to support expressions in JSP 'authorize' tags.");
}
Also used: ApplicationContext (org.springframework.context.ApplicationContext), SecurityExpressionHandler (org.springframework.security.access.expression.SecurityExpressionHandler), IOException (java.io.IOException)
